

08:40 AM

Clickjacking Defense Will Require Browser Overhaul

The researchers who discovered the new clickjacking attack say fixes won't likely be coming soon

If you’re looking for a quick fix to protect your users from the new major “clickjacking” Web threat, your options are to disable all JavaScript, ActiveX, plugins, and iframes, or to revert to an old-school text-based browser (think Lynx). In other words, forget graphics or Web 2.0.

A no-GUI browser obviously isn’t realistic, but even disabling the cool features of the Web won’t guarantee protection from this invisible and potentially lethal Web-borne attack, according to Jeremiah Grossman and Robert (RSnake) Hansen, the researchers who discovered it. “There’s no way to avoid it,” says Grossman, CTO of WhiteHat Security. “It’s going to happen… that’s the problem with it.”

Grossman says he plans to finally go public with the details of this new form of clickjacking later this month at the Hack In The Box conference in Kuala Lumpur, Malaysia -- he and Hansen agreed to hold off on disclosing their new findings at last month’s OWASP USA security conference after Adobe requested time to patch an application found to be affected by the attack. (See Disclosure of Major New Web 'Clickjacking' Threat Gets Deferred.)

The clickjacking concept is nothing new, but the threat that Grossman and Hansen discovered is. It spans multiple browser families and doesn’t even require that a user click on anything. Just loading a compromised page sets off the attack, and clicking on that page will likely make things worse for the victim, they say. “And whether JavaScript is on or off, it will affect you,” he says.

The attacker can position an invisible element, such as a transparent frame loaded from another site, underneath the mouse pointer, so the user has no idea he or she is in the danger zone. A user could thus click on a link of the attacker’s choosing and have no clue, because the URL is invisible to them. A commonly used button on a Website could be loaded with this attack, for example, so that the user would be most likely to click on it and then get further compromised, the researchers say.

Clickjacking is both a Web and a browser problem, but the fixes likely need to come from the browser vendors. Hansen, founder of SecTheory LLC, says it’s not a single-line-of-code fix -- it goes to the way browsers work.

“A true fix would likely require a complete rearchitecting of the browser,” Grossman says. “Those things don't happen quickly -- or maybe ever.”
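The following is an added example, not code from the article or from Grossman and Hansen, showing the two sides of the problem described above: the transparent-iframe overlay that puts a victim site's button under the user's cursor, and the check a practitioner would run against a site's response headers to see whether a browser would let an attacker frame it. The framing controls it models (X-Frame-Options, which shipped with IE8 in 2009, and the later CSP frame-ancestors directive) post-date this article and are exactly the kind of browser-side change the researchers say was needed. Every URL, origin, pixel offset and header value below is constructed for illustration; the host-source matching in the CSP branch is simplified (a bare `*` wildcard only).

```javascript
// Added example: classic clickjacking overlay plus a framing-policy check.
// Runs under Node; the attack page is built as a string rather than rendered.

/**
 * Build the attacker's page. A visible decoy button sits at (decoyX, decoyY).
 * The victim site is loaded in an iframe that is fully transparent but on top
 * (higher z-index), shifted so that the victim's real button, located at
 * (targetX, targetY) inside the framed page, lands exactly over the decoy.
 * The user aims at the decoy; the click is delivered to the invisible frame.
 * All coordinates are made-up values for illustration.
 */
function buildClickjackPage({ targetUrl, targetX, targetY, decoyLabel, decoyX, decoyY }) {
  const left = decoyX - targetX; // offset so that the target point maps onto the decoy
  const top = decoyY - targetY;
  return `<!doctype html>
<html><head><style>
  #decoy  { position:absolute; left:${decoyX}px; top:${decoyY}px; z-index:1; }
  #victim { position:absolute; left:${left}px; top:${top}px;
            width:1200px; height:900px; border:0;
            opacity:0; z-index:2; }
</style></head><body>
  <button id="decoy">${decoyLabel}</button>
  <iframe id="victim" src="${targetUrl}"></iframe>
</body></html>`;
}

/**
 * Decide whether a browser would let a page at attackerOrigin frame a
 * response from targetOrigin that carried these headers. Header names are
 * matched case-insensitively. When a CSP frame-ancestors directive is
 * present it takes precedence over X-Frame-Options.
 */
function framingAllowed(headers, targetOrigin, attackerOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp
      .split(';')
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      // Sources follow the directive name; quotes around 'self'/'none' are stripped.
      const sources = directive
        .split(/\s+/)
        .slice(1)
        .map((s) => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return false;
      if (sources.includes('*')) return true;
      if (sources.includes('self') && attackerOrigin === targetOrigin) return true;
      return sources.includes(attackerOrigin.toLowerCase());
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return attackerOrigin === targetOrigin;
  // Anything else (header absent, misspelled, or the obsolete ALLOW-FROM form,
  // which Chrome never supported) is ignored by the browser: the page is framable.
  return true;
}

// Constructed header sets for a target site (not taken from any real response).
// WEAK_HEADERS looks protected but carries a value browsers do not honour.
const WEAK_HEADERS = { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' };
const HARDENED_HEADERS = {
  'Content-Security-Policy': "frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
};

// Demo values: a hypothetical victim page whose "Transfer" button sits at
// (400, 650), overlaid on a decoy "Play" button at (100, 200).
const DEMO_ATTACK_PAGE = buildClickjackPage({
  targetUrl: 'https://victim.example/account',
  targetX: 400,
  targetY: 650,
  decoyLabel: 'Play',
  decoyX: 100,
  decoyY: 200,
});
```

The `opacity:0` plus higher `z-index` is the whole trick: the frame is invisible to the user but is still the topmost hit target, so the browser routes the click to the victim site with the user's cookies attached. On the defensive side, note that an unrecognised `X-Frame-Options` value is not "fail closed": the browser simply ignores the header, which is why `framingAllowed` returns true for `WEAK_HEADERS`.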

The researchers have written “generic exploit code” of the attack, which Grossman will demonstrate via a video at Hack in the Box.

Paul Henry, lead forensic investigator for Forensics & Recovery LLC, says clickjacking and other Web threats are not just browser issues -- users aren’t installing the latest browser versions and patches. “We do not necessarily have a browser issue here -- we first and foremost have a browser and plugin patch management issue,” Henry says. “Patch our browsers and associated plugins, and you will dramatically impact Web-borne malware.”

Henry says Firefox 3.0.3 with a plugin called NoScript "absolutely rocks and is my browser of choice."

NoScript is a Firefox plugin that, among other things, performs whitelisting of trusted sites, letting them run JavaScript and plugin content, but it can also ban plugins and iframes on trusted sites as needed, says Giorgio Maone, a security expert who wrote NoScript. It basically lets the user click to enable these features on trusted sites and then “learns” those choices so that it does so automatically.

“If they [users] disable scripting, plugins, and frames altogether, they're safe. This is a guaranteed way to protect against it, but a good portion of the Web becomes less usable,” he says. “NoScript and, to a minor extent, Opera's ‘Site Preferences,’ provide an easy and quick way to ‘default deny’ dangerous technologies while keeping usability on sites we trust.”

Maone maintains that the browser isn’t to blame for clickjacking. It’s the Web features we rely on today, he says. “Specifically, the abilities to incorporate documents, multimedia clips, and applets from different sources in the same page through frames and plugin embeddings, or to change the appearance and the position of every element of the page even dynamically using JavaScript and CSS, are something Web authors heavily rely upon today, but they're also the culprit of this and other security issues,” he says.

“The browser is really not to blame, at least in this case, because there's no ‘bug’ involved -- it’s just a flaw in the physiological way the modern Web is supposed to work,” Maone says.

Still, it doesn’t help that browser vendors are basically reacting to new threats rather than preempting them in their products, says Agnelo Fernandes, technical head for MicroWorld Technologies USA. “They are always in firefighting [mode],” he says.

Meanwhile, Grossman isn’t confident that browser vendors will come up with fixes any time soon. He says he doesn’t expect any comprehensive solutions for a year or more, although there may be some defensive fixes released sooner.

Mozilla and Microsoft say they’re currently investigating the issue. Bill Sisk, security response communications manager for Microsoft, said in a statement that the software company “will take steps to determine how customers can protect themselves should we confirm the vulnerability” and then either release a security update or tips for customers to protect themselves.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
